Um, not that I know of. A quick check, though, the QR code is a bunch of binary data, so I dove into the source code: https://github.com/signalapp/libsignal-client/blob/4446b648f...

> very amused that the author censored part of the QR code, but not the human readable text below it containing the exact same data

So what is it now, does it contain the phone numbers or not? Am I allowed to be 'very amused' at you for also not knowing what's in the QR code? :-)

Any phone numbers are censored in the screenshots, only the safety number is not. But the QR code doesn't contain the phone number, as you just saw in the source code (assuming I correctly identified the relevant part, I just looked for uses of qr codes, found getScannableFingerprint and followed the trail through libsignal from there).

Strictly speaking, though, the QR is not the same as the text below: the safety number below doesn't appear to include a version number (same file, lines 14-16). But that's just a technicality.

Either way, I was also amused as my understanding was also that the QR code is the same as the 'safety number' shown below. What confuses me is that the author knows what a CVE is and knows all the right channels to do responsible disclosure, but is apparently confounded by the situation that no key change is shown when they key didn't change. I am rather happy that you can keep your key material: I'd go insane if I had to reverify everyone who adds a new device legitimately (try Wire if you want that experience), I'd certainly stop doing it for any but the most stable and important of contacts. I'd also somehow need to establish a second encrypted channel to exchange the new key material because I don't meet most people in real life these days.